samhain is a daemon that can check file integrity, search the file tree for SUID files, and detect kernel module rootkits (Linux only). It can be used either standalone or as a client/server system for centralized monitoring, with strong (192-bit AES) encryption for client/server connections and the option to store databases and configuration files on the server. For tamper resistance, it supports signed database/configuration files and signed reports/audit logs. It has been tested on Linux, FreeBSD, Solaris, AIX, HP-UX, and Unixware.
Release Notes: Support for sha2-256 has been added and some bugs have been fixed.
Release Notes: A regression in the handling of growing log files has been fixed. For compiling with the kernel check option, the detection of an existing yet non-functional /dev/kmem device has been improved.
Release Notes: Log rotation can be handled more gracefully now. An option to ignore modifications of transient files during their lifetime has been added, and it is possible now to build a Debian client package with a preset password. A problem with large groups has been fixed, as well as reconnecting to a temporarily unavailable Oracle database.
Release Notes: This release fixes a regression that made samhain block indefinitely if the inotify mode for file checking was used.
Release Notes: Some build errors have been fixed, as well as the 'probe' command for the server (clients could be erroneously omitted under certain conditions). An option has been added to the Windows registry check to ignore changes if only the timestamp has changed, and full scans requested by the inotify module will now only run at times configured for regular full scans.